No, Shareholders Don't Get To Sue Heartland Just Because It Leaked More Data Than Anyone Else

from the that's-not-how-it-works dept

Last year, Heartland Payment Systems, leapt into the lead as being the company with the largest data breach of all time (well, that we know of), when it potentially leaked the personal info on somewhere over 100 million people. As typically happens in these sorts of things, a shareholder lawsuit was quickly filed from bummed out shareholders pissed off that the stock dropped (like off a cliff) following the announcement. But, of course, for there to be liability it takes a lot more than just the stock to drop, so it comes as little surprise that the lawsuit has been tossed, as the court said there was no evidence that Heartland execs knew their data was exposed. Friendly reminder to litigious shareholders: just because the company screws something up, it doesn't mean you get to sue.

I disagree...

Seems to me, depending on the circumstances, the stockholders could sue for gross negligence. I'd be willing to bet their (Heartland's) security was no where near what it should have been for the type of business they do. This is actually a HUGE problem with many companies, they treat their customer's data (including extremely sensitive financial data) much to cavalierly, and they are not held accountable when their inadequate precautions contribute to a security breach. They should actually be facing criminal charges for allowing such a breach, but I'm sure that won't happen.

They had a public facing logon page that was susceptible to an SQL Injection attack in an organization that processes hundreds of millions of credit card transactions according to allegations in the amended complaint that got dismissed.

How could anything be more indicative of company wide negligence to not have cleaned this basic vulnerability up years ago? IMHO.